[El-errata] New Ksplice updates for UEKR4 4.1.12 on OL6 and OL7 (ELSA-2017-3640)
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Tue Nov 14 06:20:58 PST 2017
Synopsis: ELSA-2017-3640 can now be patched using Ksplice
CVEs: CVE-2016-9191 CVE-2017-12192 CVE-2017-2618
Users with Oracle Linux Premier Support can now use Ksplice to patch
against the latest Oracle Linux Security Advisory, ELSA-2017-3640.
INSTALLING THE UPDATES
We recommend that all users of Ksplice Uptrack running UEKR4 4.1.12 on
OL6 and OL7 install these updates.
On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.
Alternatively, you can install these updates by running:
# /usr/sbin/uptrack-upgrade -y
* Kernel hang in directory entry invalidation race.
A race condition when calling d_invalidate() could result in a kernel
hang and then panic due to watchdog timeout. A system under heavy I/O
load could become unresponsive and hang under specific conditions.
* CVE-2017-12192: Denial-of-service when reading negative key.
Invalid memory access when reading key negative from kernel key management
facility results in a crash. An unprivileged local user can exploit this
to cause denial-of-service.
* CVE-2016-9191: Denial-of-service when using sysctl concurrently.
A refcounting error in sysctl handling could lead to an infinite loop if
unregister_sysctl_table() is called concurrently with sysctl actions
from userspace. An attacker could use this flaw to cause a
* CVE-2017-2618: Information leak in SELinux attribute handling.
An off-by-one error in SELinux attribute handling can cause sensitive
information to be leaked from the kernel. A local attacker could use
this flaw to facilitate an exploit.
* Task hang in virtual memory adjustment under load.
Incorrect locking could result in deadlock and a task hang when
adjusting virtual memory areas under system load.
* Infiniband failures with sendonly multicast joins.
Incorrect handling of sendonly multicast joins could result in
networking failures on Infiniband setups.
Ksplice support is available at ksplice-support_ww at oracle.com.
More information about the El-errata